Domain 4.0 – Application, Data and Host Security – 16%
System Security is our initial set of best practices. It includes:
- Disabling non-essential systems and services
- Hardening operating systems by
  - Applying updates and
  - Securing file systems
- Hardening applications by
  - Hardening servers (daemons or services) and
  - Hardening data stores
- Hardening networks through
  - Firmware upgrades and
  - Secure network configuration
In Windows, view Services with:
- Start > Settings > Control Panel > Administrative Tools > Services
- the msconfig command from Start > Run
- the services.msc command from Start > Run
- Visit www.microsoft.com/technet or www.BlackViper.com for discussion of any services with which you’re not familiar.
- Note that services can be Automatic, Manual or Disabled.
- Probably the single most dangerous service is UPnP, Universal Plug-and-Play. Unless you have a specific, compelling reason to enable this, disable it.
- Service names and display names in the Services applet are not always the same.
In Linux, view processes with:
Generally, services are processes ending with a “d,” e.g. httpd.
Services, Port Numbers and Sockets:
- The combination of an IP address and a port number is a socket (e.g. 192.168.2.1:80).
- Most ports are available to both TCP and UDP.
- A total of 65,535 ports are available.
- The first 1,023 are called the “well-known port numbers.”
- Service Packs are cumulative sets of updates
- Hotfixes are single-issue fixes, typically correcting software problems, not security issues
- Patches are software updates, often to correct security problems
Popular Patch Management Systems for Windows are Windows Update Services (for standalone computers), Microsoft Operations Manager (MOM, formerly known as Software Update Services, SUS, and by other names), and the Shavlik family of security/patch management tools.
- Patches typically require re-compiling software, or performing an upgrade installation of binary software distributions
Red Hat provides update services through the Red Hat Network update system.
This is all about restricting user access, primarily through Access Control Lists (ACLs).
- NTFS allows file and folder access permissions (though older versions only controlled folder permissions).
- FAT32 provides no access control
- Active Directory provides domain-based management (and replaces the older NT Domain model)
- The Microsoft Management Console (MMC) is a utility that can control almost every aspect of a system.
- MMC accepts “snap-ins” for expanded functionality
- The Security Template snap-in organizes security attributes in one screen
- Groups of computers sharing a security configuration are Group Policy Objects
- Group Policy Settings define these configurations
- Domain-based settings, however, cannot be overridden by group policy settings
- Basic file and folder permissions can be controlled at the operating system level
- Larger networks use domain services and directories:
- Network Information Service (NIS)
- Novell Directory Services
- Sun, Netscape and other directory services
- Use the Microsoft Baseline Security Manager (MBSA) to analyze
  - Security settings
  - Application update compliance
- Use update management tools from Red Hat, SuSE and others
- Stay current with specific product updates for applications and services such as Sendmail, Apache and MySQL, for example
You are personally responsible for staying current with vulnerabilities. Subscribe to security bulletins such as those from Shavlik Technologies.
- Tightly configure ACLs
- Delete sample files
- Delete sample scripts!
- Delete unused or obsolete scripts and software
- Use IPSec, SSL (port 22, TCP and UDP) or HTTPS to encrypt sensitive traffic
- Web servers (HTTP, port 80, TCP and UDP) should provide only this service
- Web servers should live in a DMZ, not inside a network’s main firewall
- Use HTTPS or Secure HTTP (port 443 TCP) to encrypt sensitive traffic
- E-mail servers should live in a DMZ, not inside a network’s main firewall
- E-mail servers (POP, port 110, SMTP, port 25) should provide only this service
- E-mail system administrators must know what an “open relay” is, and must make sure their server is not an open relay
- Visit www.abuse.net/relay.html and enter the name of your email server, and click “Test for relay” for independent verification
- Old-fashioned FTP is highly vulnerable because it passes login names and passwords as unencrypted traffic
- Turn off Anonymous Login unless it is critical to provide it
- Set the ACL to read-only whenever possible
- Limit the number of login attempts
- Limit the number of sessions
- DNS servers are the most potentially toxic servers on the Internet
- DNS servers update each other through Zone Transfers, which is a major vulnerability
- DNS servers can be attacked by cache poisoning
- Prevent this by:
  - closing port 53 (used for zone transfers), or
  - rejecting inbound connections on port 53, or
  - explicitly designating which servers are trusted to receive zone transfers
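One way to implement the last of those options, as an added example that is not part of these notes: a BIND named.conf fragment that refuses zone transfers by default and permits them only to named secondaries. The zone name, file paths and 192.0.2.x addresses (RFC 5737 documentation range) are constructed.

```conf
// Added example: restricting zone transfers in BIND's named.conf.
// Addresses, zone name and file names are constructed for illustration.

// The only hosts trusted to pull a copy of our zones.
acl "trusted-secondaries" { 192.0.2.10; 192.0.2.11; };

options {
    directory "/var/named";
    // Weak setting (BIND's historical default) would be:  allow-transfer { any; };
    // Hardened: nobody gets a transfer unless a zone statement says otherwise.
    allow-transfer { none; };
    // A server that is authoritative for public zones should not also
    // answer recursive queries for the whole Internet.
    recursion no;
};

zone "example.com" {
    type master;
    file "db.example.com";
    // Only the listed secondaries may request an AXFR/IXFR of this zone.
    allow-transfer { "trusted-secondaries"; };
    also-notify { 192.0.2.10; 192.0.2.11; };
};
```

Check the file with named-checkconf before reloading; for protection stronger than source-address filtering, BIND can also require TSIG-signed transfer requests.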
File and Print Servers
- Require authentication for access
- Let users pause or cancel only their own print jobs
- Give users ACL permissions to their own folders and files, but no others
- Whenever possible, allow only read-only access to public folders
- Give read and write access only for group folders
- Be very cautious with execute permissions for folders:
  - In Windows, denying execute will prevent software execution
  - In Linux, denying execute will prevent browsing and listing
- Disable this service unless you specifically need it
- Keep DHCP servers patched
- Active Directory controls domains
- The Security Accounts Manager (SAM) database controls domain accounts, and must be protected
SQL Server also requires protection from:
- Buffer overflow attacks
- Malicious SQL commands (including SQL injection from malicious URL formation)
- As your version of SQL Server permits, encrypt its data
- Only the user logged into the local host containing the SQL Server should be allowed full administrative rights
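As an added illustration of the SQL injection item above (example code, not from these notes): a lookup that splices a URL parameter straight into the query text, beside the same lookup done with a bound parameter. An in-memory SQLite table with constructed rows stands in for a SQL Server catalogue.

```python
import sqlite3


def make_db():
    """Constructed sample catalogue: one row is flagged as internal-only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, secret INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 0), (2, "gadget", 0), (3, "internal-only", 1)],
    )
    return conn


def lookup_vulnerable(conn, product_id):
    """Query text is built from the raw URL parameter, so the parameter is parsed as SQL.

    A value such as "1 OR 1=1 --" comments out the secret=0 filter and returns every row.
    """
    sql = f"SELECT name FROM products WHERE id = {product_id} AND secret = 0 ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, product_id):
    """Validate the parameter, then bind it as a value; it is never part of the SQL text."""
    if not product_id.isdigit():
        raise ValueError("product id must be numeric")
    sql = "SELECT name FROM products WHERE id = ? AND secret = 0 ORDER BY id"
    return [row[0] for row in conn.execute(sql, (int(product_id),))]


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1 OR 1=1 --"))   # leaks the internal-only row
    print(lookup_parameterized(db, "1"))          # ['widget']
```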
BelArc Advisor: Knowing what you’ve got that works
Nessus: Knowing what you’ve got that doesn’t
Don’t forget Ethereal/Wireshark: http://www.wireshark.org/